[PATCH] libmakepkg/integrity: handle PGP signature files containing multiple signatures
Allan McRae
allan at archlinux.org
Sat Jun 25 12:09:00 UTC 2022
On 25/6/22 21:44, Jonas Witschel wrote:
<snip>
> Therefore without being able to specify
> more detailed key usage policies in the PKGBUILD, trusting any valid signature
> seems to be a reasonable default, and is also in line with the current approach
> of trusting *any* of the keys in the validpgpkeys array.
Somewhat off-topic - I'd argue that it is poor packaging to have more
validpgpkeys in a PKGBUILD than the key used to verify the source for
that particular package version. Lazily just adding more keys to a
PKGBUILD and not removing unneeded ones in case they are needed in the
future is not ideal.
<snip>
> Therefore I would argue that having such a threshold would be more of an
> improvement that could be based on v2 of the patch rather than a separate
> implementation: it could be easily achieved by changing arrays_intersect() to
> return the number of elements in the intersection and to compare that number
> with a new threshold variable specified in the PKGBUILD (which would default to
> 1 if unset in order to be backwards compatible).
How about... all signatures from trusted keys (either through PGP web
of trust, or via being in validpgpkeys) need to validate?
That does not solve the rogue maintainer issue (it is up to a packager
to ask why the number of signatures dropped...), but it does address not
needing to validate a legacy key.
Allan
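The two policies discussed above (a signature-count threshold against validpgpkeys, and requiring every signature from a trusted key to verify) as a bash sketch. This is an added example, not libmakepkg code or a patch from this thread; it parses constructed `gpg --status-fd` lines, the key ids and fingerprints are placeholders, and the fingerprint-suffix matching of BADSIG key ids is an assumption of the example.

```bash
# Constructed gpg --status-fd output for one .sig file carrying two
# signatures; key ids and fingerprints are placeholders, not real keys.
STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 000000000000AAAA Maintainer One <one@example.org>
[GNUPG:] VALIDSIG 111111111111111111111111000000000000AAAA 2022-06-25 1656158640 0 4 0 1 10 00 111111111111111111111111000000000000AAAA
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 000000000000BBBB Maintainer Two <two@example.org>'
# validpgpkeys as a PKGBUILD declares it (placeholder fingerprints).
validpgpkeys=('111111111111111111111111000000000000AAAA'
              '222222222222222222222222000000000000BBBB')
# Does $1 (a full fingerprint or a 16-hex-char key id) name a key in
# validpgpkeys? A key id is matched as the suffix of a listed fingerprint.
is_trusted_key() {
    local k
    for k in "${validpgpkeys[@]}"; do
        [[ $k == *"$1" ]] && return 0
    done
    return 1
}
# Threshold model: count VALIDSIG lines whose fingerprint is in
# validpgpkeys (what arrays_intersect() returning a count would give).
count_trusted_valid_sigs() {
    local n=0 tag fpr
    while read -r _ tag fpr _; do
        [[ $tag == VALIDSIG ]] && is_trusted_key "$fpr" && n=$((n+1))
    done <<< "$1"
    echo "$n"
}
# Allan's model: a signature made by a trusted key that fails to verify
# (BADSIG) rejects the file, even if another trusted signature is good.
all_trusted_sigs_valid() {
    local tag keyid
    while read -r _ tag keyid _; do
        [[ $tag == BADSIG ]] && is_trusted_key "$keyid" && return 1
    done <<< "$1"
    return 0
}
# Combined check: at least $2 trusted valid signatures (default 1) and
# no failed signature from a trusted key.
check_sigfile() {
    [[ $(count_trusted_valid_sigs "$1") -ge ${2:-1} ]] || return 1
    all_trusted_sigs_valid "$1"
}
if check_sigfile "$STATUS"; then echo "signature file accepted"; else echo "signature file rejected"; fi
```

With the sample above the threshold of 1 is met, but the bad signature from the second listed key rejects the file under the stricter policy.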